DuquDetector released to forensically detect pest
The researchers at the lab credited with identifying the zero-day delivery mechanism of the Duqu bot, the Hungarian Laboratory of Cryptography and System Security (CrySyS), have released a toolkit for detecting the pest, even after components of it have been removed from a system.
The DuquDetector software comprises four executable tools which respectively scan for Duqu-infected system drivers, PNF files with "suspiciously high entropy", Duqu's temporary files and PNF files with no corresponding .inf files. It writes the results to a logfile for an experienced practitioner to analyse. Because the tools combine signature-based and heuristic analysis, false positives can occur, as with other anomaly-detection tools.
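Two of the four checks described above are generic forensic heuristics rather than Duqu signatures: flagging PNF files whose byte entropy is unusually high (compiled or encrypted payloads pack far more information per byte than the plain-text setup data a PNF normally holds) and flagging PNF files that have no sibling .inf file (a PNF is a precompiled cache of an .inf, so an orphan is anomalous). The following Python is an added illustration of those two heuristics, not code from the CrySyS toolkit; the entropy threshold of 7.0 bits per byte, the `scan_pnf_directory` function and the constructed sample directory are all assumptions made for the example, and the real tool's threshold and signatures are not reproduced here.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_pnf_directory(directory, entropy_threshold: float = 7.0) -> dict:
    """Apply the two heuristics to every *.pnf file in `directory`.

    Returns {"high_entropy": [...], "orphan": [...]} with sorted file names.
    The 7.0 bits/byte threshold is an assumption chosen for this example;
    plain-text setup data usually scores well below it, packed or encrypted
    data close to 8.0.
    """
    directory = Path(directory)
    # Case-insensitive lookup of .inf stems, since Windows file names are case-insensitive.
    inf_stems = {p.stem.lower() for p in directory.iterdir() if p.suffix.lower() == ".inf"}
    high_entropy, orphan = [], []
    for path in sorted(directory.iterdir()):
        if path.suffix.lower() != ".pnf" or not path.is_file():
            continue
        if shannon_entropy(path.read_bytes()) > entropy_threshold:
            high_entropy.append(path.name)
        if path.stem.lower() not in inf_stems:
            orphan.append(path.name)
    return {"high_entropy": sorted(high_entropy), "orphan": sorted(orphan)}


def make_sample_directory() -> Path:
    """Build a constructed temporary directory standing in for %WINDIR%\\inf.

    Contents (all constructed for this example, not real driver packages):
      net.inf / net.pnf   - benign pair, low-entropy text
      orphan.pnf          - text PNF with no matching .inf
      packed.pnf          - orphan PNF filled with uniformly distributed bytes
    """
    d = Path(tempfile.mkdtemp(prefix="pnf_scan_"))
    text = b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Net\r\n' * 50
    (d / "net.inf").write_bytes(text)
    (d / "net.pnf").write_bytes(text)
    (d / "orphan.pnf").write_bytes(text)
    # Every byte value appears equally often, so entropy is exactly 8.0 bits/byte.
    (d / "packed.pnf").write_bytes(bytes(range(256)) * 16)
    return d


if __name__ == "__main__":
    sample = make_sample_directory()
    for category, names in scan_pnf_directory(sample).items():
        print(f"{category}: {names}")
```

Both lists are hints for a human analyst, not verdicts: a legitimately compressed or signed PNF can score high on entropy, and leftover PNFs from uninstalled drivers are a common benign source of orphans, which is exactly why the original article warns about false positives.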
The four tools are bundled together with a batch file for simpler execution, and the source code is supplied so that security analysts can audit and re-compile the tools. Although the tools were initially listed as open source, they weren't licensed under a standard FOSS licence. The H Security contacted CrySyS, and within hours CrySyS had re-released the tools under a GPLv3 licence. The manual gives more detail about the operation of the tools, which are available to download.
NSS Labs has also released its own Duqu detector, a Python script which focuses primarily on pattern-match scanning of the system drivers. The BSD-licensed script is available from the developer's GitHub repository.
(djwm)